/*
* This is a worthless, nonrunnable example of a named.conf file that has
* every conceivable syntax element in use. We use it to test the parser.
* It could also be used as a conceptual template for users of new features.
*/
/*
* C-style comments are OK
*/
// So are C++-style comments
# So are shell-style comments
// watch out for ";" -- it's important!
options {
directory "/var/named";
// use current directory
named-xfer "/usr/libexec/named-xfer";
// _PATH_XFER
dump-file "named_dump.db";
// _PATH_DUMPFILE
pid-file "/var/run/named.pid";
// _PATH_PIDFILE
statistics-file "named.stats";
// _PATH_STATS
memstatistics-file "named.memstats";
// _PATH_MEMSTATS
check-names master fail;
check-names slave warn;
check-names response ignore;
host-statistics no;
deallocate-on-exit no;
// Painstakingly deallocate all
// objects when exiting instead of
// letting the OS clean up for us.
// Useful when a memory leak is suspected.
// Final statistics are written to the
// memstatistics-file.
datasize default;
stacksize default;
coresize default;
files unlimited;
recursion yes;
fetch-glue yes;
fake-iquery no;
notify yes;
// send NOTIFY messages. You can set
// notify on a zone-by-zone
// basis in the "zone" statement
// see (below)
serial-queries 4;
// number of parallel SOA queries
// we can have outstanding for master
// zone change testing purposes
auth-nxdomain yes;
// always set AA on NXDOMAIN.
// don't set this to 'no' unless
// you know what you're doing -- older
// servers won't like it.
multiple-cnames no;
// if yes, then a name may have more
// than one CNAME RR. This use
// is non-standard and is not
// recommended, but it is available
// because previous releases supported
// it and it was used by large sites
// for load balancing.
allow-query { any; };
allow-transfer { any; };
// any host may pull every zone; a real
// deployment lists only its slave servers here
transfers-in 10;
// DEFAULT_XFERS_RUNNING, cannot be
// set greater than MAX_XFERS_RUNNING (20)
transfers-per-ns 2;
// DEFAULT_XFERS_PER_NS
transfers-out 0;
// not implemented
max-transfer-time-in 120;
// MAX_XFER_TIME; the default number
// of minutes an inbound zone transfer
// may run. May be set on a per-zone
// basis.
transfer-format one-answer;
query-source address * port *;
/*
* The "forward" option is only meaningful if you've defined
* forwarders. "first" gives the normal BIND
* forwarding behavior, i.e. ask the forwarders first, and if that
* doesn't work then do the full lookup. You can also say
* "forward only;" which is what used to be specified with
* "slave" or "options forward-only". "only" will never attempt
* a full lookup; only the forwarders will be used.
*/
forward first;
forwarders { };
// default is no forwarders
topology { localhost; localnets; };
// prefer local nameservers
listen-on port 53 { any; };
// listen for queries on port 53 on
// any interface on the system
// (i.e. all interfaces). The
// "port 53" is optional; if you
// don't specify a port, port 53
// is assumed.
/*
* Interval Timers
*/
cleaning-interval 60;
// clean the cache of expired RRs
// every 'cleaning-interval' minutes
interface-interval 60;
// scan for new or deleted interfaces
// every 'interface-interval' minutes
statistics-interval 60;
// log statistics every
// 'statistics-interval' minutes
maintain-ixfr-base no;
// If yes, keep transaction log file for IXFR
max-ixfr-log-size 20;
// Not implemented, maximum size the
// IXFR transaction log file to grow
};
/*
* Control listeners, for "ndc". Every nameserver needs at least one.
*/
controls {
inet * port 52 allow { any; };
// a bad idea: any host that can reach this
// port may control the nameserver
unix "/var/run/ndc" perm 0600 owner 0 group 0;
// the default
};
zone "rd.xxx.com" in {
type master;
// what used to be called "primary"
file "rd.xxx.com.db";
check-names fail;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
// notify yes;
// send NOTIFY messages for this
// zone? The global option is used
// if "notify" is not specified
// here.
also-notify { };
// don't notify any nameservers other
// than those on the NS list for this
// zone
};
zone "223.99.211.in-addr.arpa" in {
// the PTR data in "21.9.22.db" below covers 21.9.22.0/24,
// whose reverse zone is "22.9.21.in-addr.arpa"
type master;
// what used to be called "primary"
file "21.9.22.db";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.db";
};
zone "." in {
type hint;
// used to be specified w/ "cache"
file "named.root";
};
logging {
/*
* All log output goes to one or more "channels"; you can make as
* many of them as you want.
*/
channel syslog_errors {
// this channel will send errors or
syslog user;
// or worse to syslog (user facility)
severity error;
};
category parser {
syslog_errors;
// you can log to as many channels
default_syslog;
// as you want
};
category lame-servers { null; };
// don't log these at all
channel moderate_debug {
severity debug 3;
// level 3 debugging to file
file "foo";
// foo
print-time yes;
// timestamp log entries
print-category yes;
// print category name
print-severity yes;
// print severity level
/*
* Note that debugging must have been turned on either
* on the command line or with a signal to get debugging
* output (non-debugging output will still be written to
* this channel).
*/
};
/*
* If you don't want to see "zone XXXX loaded" messages but do
* want to see any problems, you could do the following.
*/
13、在/var/named/中生成/etc/named.conf中標記的文件:rd.xxx.com.db,
內容如下,需要修改和調整相應部分:
;Authoritative data for rd.xxx.com
;
$TTL 3600
@ IN SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
20020101 ;Serial
3600 ;Refresh 1 hour
900 ;Retry 15 mins
604800 ;Expire 7 days
86400) ;Minimum 24 hours
;Name server NS records
@ IN NS compaq.rd.xxx.com.
;Mail Exchange (MX) records
rd.xxx.com. IN MX 0 compaq
;Address (A) records.
localhost IN A 127.0.0.1
compaq IN A 21.9.22.9
tls65 IN A 21.9.22.8
fbsd IN A 21.9.22.7
;
;Reverse (PTR) zone data: the file named "21.9.22.db" in named.conf
$TTL 3600
@ IN SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
20020101 ;Serial
3600 ;Refresh
900 ;Retry 15 mins
604800 ;Expire 7 days
86400) ;Minimum 24 hours
;NameServer (NS) records
@ IN NS compaq.rd.xxx.com.
;Address Point to Name (PTR) records
9 IN PTR compaq.rd.xxx.com.
8 IN PTR tls65.rd.xxx.com.
7 IN PTR fbsd.rd.xxx.com.
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . "
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify this file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl m4 /etc/sendmail.mc > /etc/sendmail.cf
dnl You will need to have the Sendmail-cf package installed for this to work.
include(`/usr/local/src/sendmail-8.12.2/cf')
define(`confDEF_USER_ID',`8:12')
OSTYPE(`linux')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
define(`SMART_HOST',compaq.rd.xxx.com)
<---這條用於(非HUB)缺省使用HUB發送郵件
MASQUERADE_AS(`rd.xxx.com')
<-------------------------
FEATURE(`masquerade_entire_domain')
<---這三條用於郵件地址偽裝
FEATURE(`masquerade_envelope')
<-------------------------
FEATURE(`smrsh',`/usr/sbin/smrsh')
FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(local_procmail)
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
FEATURE(`accept_unresolvable_domains')
MAILER(smtp)
MAILER(procmail)
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`relay_based_on_MX')
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
cp -rp install/unix local
cd local
make
mv rsaref.a librsaref.a
22、[openssl-engine-0.9.6c]:openssl引擎
./config --prefix=/usr/local/ssl -L`pwd`/../rsaref-2.0/local/ rsaref -fPIC
make
make test
make install
23、[mod_ssl-2.8.6-1.3.23]
./configure --with-apache=../apache_1.3.23
24、[apache_1.3.23]步驟二
./configure --prefix=/usr/local/apache --enable-shared=ssl --enable-module=ssl --activate-module=src/modules/php4/libphp4.a
make
make certificate TYPE=custom(回答一些問題)
make install
Networking options中
[*] Network firewalls
[*] IP: advanced router
[*] IP: firewalling
[*] IP: firewall packet netlink device
[*] IP: transparent proxy support
[*] IP: masquerading
[*] IP: ICMP masquerading
[*] IP: masquerading special modules support
IP: ipautofw masq support (EXPERIMENTAL)
IP: ipportfw masq support (EXPERIMENTAL)
IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[*] IP: masquerading virtual server support (EXPERIMENTAL)
(12) IP masquerading VS table size (the Nth power of 2)
~/sslca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
........................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(enter same password again)
-----
You are about to be asked to enter
information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:21vianet(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:CA(enter)
Email Address []:[email protected](enter)
~/sslca#
2.7 下一步是給網關生成證書:
命令和要回答的問題如下:
~/sslca# /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
...................................+++
...............................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:vpnserver.rd.xxx.com(enter)
Email Address []:[email protected](enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem
natecars@buzzword:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(password you entered for the CA certificate)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'State'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'21vianet'
commonName :PRINTABLE:'vpnserver.rd.xxx.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y(enter)
1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem
輸入哪個.p12 文件的路徑 (就是剛才你從服務器網關復制過來的,浏覽選擇也
可), 然後點'Next' 輸入export password(密碼), 然後點Next 選
'Automatically select the certificate store based on the type of
certificate', 然後點Next 點Finish, 如果有任何提示窗口彈出都選yes 退出
MMC, 保存當前配置到管理工具中,這樣就不用每次都重新來過了。以上所做就增
加了一個證書到總經理的機器上。
C:\ipsec>ipsec
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Host name is: (local_hostname)
No RAS connections found.
LAN IP address: (local_ip_address)
Setting up IPSec ...